Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 1501–1575

1639 questions total · 22 pages · All types, answers revealed

Page 21 of 22

1501
Multi-Select · medium

Which TWO actions should an analyst take when a confirmed ransomware incident is detected on multiple endpoints? (Choose TWO.)

Select 2 answers
A. Run a full antivirus scan on all endpoints.
B. Isolate affected endpoints using Microsoft Defender for Endpoint.
C. Block known malicious IP addresses and domains in the firewall.
D. Disconnect network cables but leave endpoints powered on.
E. Shut down all affected endpoints to prevent data loss.
Answers: B, C

Immediately contains the threat by isolating devices.

Why this answer

Option B is correct because isolating endpoints stops the encryption from spreading. Option C is correct because blocking known indicators prevents further spread. Option A is wrong because a scan is reactive, not immediate containment.

Option D is wrong because it allows encryption to continue. Option E is wrong because shutting down destroys volatile evidence.

1502
MCQ · easy

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the purpose of the query?

A. To list all incidents in the last 7 days
B. To count alerts by severity over the last week
C. To find the most recent high-severity alert
D. To identify hunting results
Answer: B

Summarize count by AlertSeverity.

Why this answer

The query counts alerts by severity over the last 7 days and orders the result by severity descending, so Option B is correct. Option A is wrong because the query is about alerts, not incidents.

Option C is wrong because it would return a single alert. Option D is wrong because the query is not a hunting query.

1503
MCQ · hard

You are handling an incident where a user's account was used to access sensitive data from an unusual location. Microsoft Entra ID Identity Protection flagged the sign-in as risky. You need to determine if the account is compromised. Which investigation step should you perform first?

A. Block the user from signing in
B. Force a password reset for the user
C. Check if the device used is managed by Intune
D. Review the sign-in details and compare with the user's typical behavior
Answer: D

Determines if the sign-in is anomalous.

Why this answer

Option D is correct because reviewing the sign-in details against the user's typical behavior provides the context needed to decide whether the sign-in is anomalous. Option B is wrong because forcing a password reset may alert the attacker before the investigation is complete. Option A is wrong because blocking sign-in is premature.

Option C is wrong because the device might be the user's personal device, so management status alone does not answer the question.

1504
MCQ · easy

Your team uses Microsoft Defender for Endpoint to hunt for signs of credential theft. You want to query for events where a process accesses the LSASS process memory. Which event type should you look for?

A. Process access (Event 4656)
B. Network connection (Event 5156)
C. Registry modification (Event 4657)
D. Process creation (Event 4688)
Answer: A

Event 4656 logs when a process opens a handle to another process, such as LSASS.

Why this answer

Option A is correct because LSASS access is logged as a process access event (Event ID 4656) with specific access flags. Option D is wrong because process creation events show new processes, not access to existing ones. Option C is wrong because registry events do not capture process access.

Option B is wrong because network connection events are unrelated to process memory access.

1505
Multi-Select · easy

You are managing Microsoft Defender for Cloud Apps. Which TWO actions can be performed using the Microsoft Defender XDR integration?

Select 2 answers
A. Quarantine malicious emails.
B. Investigate user activities across cloud apps.
C. Govern discovered apps with access policies.
D. Manage device compliance policies in Microsoft Intune.
E. Onboard devices to Microsoft Defender for Endpoint.
Answers: B, C

Defender XDR provides a unified investigation experience.

Why this answer

Defender for Cloud Apps integrated with Defender XDR allows governing discovered apps and investigating user activities, so Options B and C are correct. Option E (onboarding devices) is a Defender for Endpoint task.

Option A (quarantining emails) is an Office 365 task. Option D (managing Intune device compliance policies) is a separate Intune function.

1506
Multi-Select · medium

Your organization uses Microsoft Sentinel with the Azure Activity connector. Which TWO actions should you take to ensure that all subscription-level activity logs are being ingested into Sentinel?

Select 2 answers
A. Install the Azure Activity solution from the content hub.
B. Enable diagnostic settings on each subscription to stream logs to the Sentinel Log Analytics workspace.
C. Assign the 'Reader' role to the Sentinel managed identity on each subscription.
D. Configure the Azure Activity data connector to include all subscriptions.
E. Use the Azure Policy initiative to deploy the connector.
Answers: C, D

The managed identity needs Reader permission to read activity logs.

Why this answer

Options C and D are correct because the connector must have the required permissions and be configured for the correct subscriptions. Option A is not needed to ingest Activity logs; Option B (diagnostic settings) is not necessary; Option E is incorrect.

1507
MCQ · easy

A security analyst is investigating a malware incident on an endpoint using Microsoft 365 Defender. The analyst wants to see all processes that were created on the device in the last hour, including the command line arguments. Which advanced hunting table should they query?

A. DeviceProcessEvents
B. DeviceNetworkEvents
C. DeviceFileEvents
D. DeviceRegistryEvents
Answer: A

This table records process creation events, including the full command line arguments.

Why this answer

The DeviceProcessEvents table in Microsoft 365 Defender's advanced hunting schema captures process creation events, including the command line arguments used to start each process. This directly meets the analyst's need to see all processes created in the last hour with their command-line details, making it the correct table for investigating malware that spawns processes.

Exam trap

The trap here is that candidates often confuse process creation events with network or file events, mistakenly choosing DeviceNetworkEvents or DeviceFileEvents because they associate malware with network traffic or file drops, rather than recognizing that command-line arguments are exclusively stored in DeviceProcessEvents.

How to eliminate wrong answers

Option B (DeviceNetworkEvents) is wrong because it records network connections (e.g., IP addresses, ports, protocols) and not process creation or command-line arguments. Option C (DeviceFileEvents) is wrong because it logs file creation, modification, and deletion events, not process creation or command-line data. Option D (DeviceRegistryEvents) is wrong because it tracks registry key modifications, not process creation or command-line arguments.

1508
MCQ · hard

Your organization is using Microsoft Defender for Cloud to protect Azure workloads. A critical vulnerability was discovered in a virtual machine that is part of a production application. The vulnerability has a high severity score and is actively being exploited in the wild. You need to respond quickly to mitigate the risk. What is the most effective immediate action?

A. Apply the vendor patch immediately during business hours.
B. Enable just-in-time (JIT) VM access in Microsoft Defender for Cloud to lock down inbound traffic.
C. Modify the network security group (NSG) to block all inbound traffic to the VM.
D. Use the 'Remediate' option in Defender for Cloud to automatically apply the patch.
Answer: B

JIT reduces exposure by only allowing necessary traffic at scheduled times.

Why this answer

Enabling just-in-time (JIT) VM access reduces the attack surface by restricting inbound traffic to the VM, providing immediate protection. Option A is incorrect because patching may take time and could disrupt operations. Option C is incorrect because network security groups (NSGs) are already in place and changing rules may not address the vulnerability directly.

Option D is incorrect because Defender for Cloud does not have automatic patching; it only recommends.

1509
MCQ · hard

Your SOC uses Microsoft Sentinel with multiple workspaces for different business units. You want to create a single dashboard that shows key performance indicators (KPIs) across all workspaces. Which approach minimizes complexity and query latency?

A. Export data to Azure Data Explorer and build the dashboard there.
B. Ingest all logs into a single workspace and create the dashboard there.
C. Use Power BI to query each workspace separately and combine data.
D. Use cross-workspace queries in a single dashboard that references all workspaces.
Answer: D

Cross-workspace queries allow real-time aggregation without moving data.

Why this answer

Option D is correct because cross-workspace queries in a single dashboard are efficient and avoid data duplication. Option B is wrong because ingesting all logs into a single workspace adds complexity and latency. Option A is wrong because Azure Data Explorer is not needed for this simple aggregation.

Option C is wrong because Power BI would require data export, adding latency.

1510
MCQ · medium

You are a security operations analyst for a company that uses Microsoft Sentinel and Microsoft Defender for Cloud. You have configured the Microsoft Defender for Cloud connector to stream security alerts into Sentinel. However, you notice that some alerts from Defender for Cloud are not appearing in Sentinel. You have verified that the connector is enabled and the subscription is connected. The missing alerts are of the type 'Security misconfiguration' from Azure Policy. You need to ensure all alerts appear in Sentinel. What should you do?

A. Create a custom analytics rule to detect misconfigurations.
B. Re-enable the Microsoft Defender for Cloud data connector.
C. Enable the Defender for Cloud plan on the subscription in Azure Policy.
D. Create a new Microsoft Defender for Cloud data connector for the same subscription.
Answer: C

Required for policy-based alerts to be generated.

Why this answer

The 'Security misconfiguration' alerts from Azure Policy are generated only when the Defender for Cloud plan is enabled on the subscription. The Microsoft Defender for Cloud data connector streams alerts from Defender for Cloud into Sentinel, but if the Defender for Cloud plan is not enabled, those specific policy-based alerts are never generated. Enabling the Defender for Cloud plan on the subscription in Azure Policy ensures that Azure Policy evaluations produce security misconfiguration alerts, which are then ingested by the connector into Sentinel.

Exam trap

The trap here is that candidates assume the data connector is the sole pipeline for all Defender for Cloud alerts, but they overlook that certain alert types (like security misconfigurations) require the Defender for Cloud plan to be explicitly enabled on the subscription to generate those alerts in the first place.

How to eliminate wrong answers

Option A is wrong because creating a custom analytics rule in Sentinel detects events already in the workspace, but it does not generate the missing alerts from Azure Policy; the alerts must first be produced by Defender for Cloud. Option B is wrong because re-enabling the connector does not address the root cause—the connector is already enabled and the subscription is connected, but the alerts are not being generated due to the missing Defender for Cloud plan. Option D is wrong because creating a new data connector for the same subscription is redundant and does not enable the Defender for Cloud plan required to produce the security misconfiguration alerts.

1511
MCQ · medium

During a security incident, you need to collect forensic evidence from a compromised Windows device. Which Microsoft Defender for Endpoint action should you use to collect a memory dump?

A. Initiate Live Response
B. Isolate device
C. Collect investigation package
D. Run antivirus scan
Answer: C

The investigation package includes memory dump, registry, and file collection.

Why this answer

Option C is correct because 'Collect investigation package' gathers forensic data including a memory dump. Option D is wrong because 'Run antivirus scan' only scans for malware. Option B is wrong because 'Isolate device' disconnects the device from the network but does not collect memory.

Option A is wrong because 'Initiate Live Response' provides a remote shell but does not collect a memory dump as a single action.

1512
Multi-Select · medium

Your organization uses Microsoft Sentinel and wants to reduce alert fatigue. Which TWO actions should you take to improve the quality of incidents?

Select 2 answers
A. Create separate incidents for each alert.
B. Create automation rules to close all low-severity incidents automatically.
C. Configure alert grouping in analytics rules to combine related alerts into one incident.
D. Use suppression and tuning rules to filter out known benign activity.
E. Increase the severity of all low-severity alerts to high.
Answers: C, D

Grouping reduces the number of incidents and correlates related alerts.

Why this answer

Options C and D are correct because grouping related alerts into incidents and using tuning rules reduce noise. Option A increases noise; Option B is an automation shortcut that discards incidents rather than improving their quality and is not recommended; Option E does not improve quality either.

1513
MCQ · hard

An organization needs to meet PCI DSS compliance requirements and also enforce a custom policy requiring that encryption keys be stored in a specific Azure Key Vault. The security administrator wants to view a unified compliance score that includes both the built-in PCI DSS standard and the custom policy. What should the administrator do in Microsoft Defender for Cloud?

A. Assign the built-in PCI DSS regulatory compliance standard and add a custom policy through Azure Policy
B. Create a custom initiative that includes the PCI DSS built-in policy set and the custom key vault policy, then assign it to the scope
C. Use Azure Blueprints to deploy the PCI DSS standard and custom policies
D. Enable the Secure Score dashboard to measure compliance
Answer: B

Custom initiatives allow combining multiple policy definitions, including from regulatory compliance standards, into a single assignable set that appears in the regulatory compliance dashboard.

Why this answer

Option B is correct because Microsoft Defender for Cloud's regulatory compliance dashboard can only display a unified compliance score when all relevant standards and custom policies are grouped into a single initiative. By creating a custom initiative that includes both the built-in PCI DSS policy set and the custom Key Vault policy, then assigning that initiative to the scope, the administrator ensures the compliance score reflects both requirements in one view.

Exam trap

The trap here is that candidates assume simply assigning the built-in standard and adding a custom policy separately will merge their scores, but Defender for Cloud requires all policies to be part of the same initiative for a unified compliance score.

How to eliminate wrong answers

Option A is wrong because simply assigning the built-in PCI DSS standard and adding a custom policy through Azure Policy does not merge them into a single compliance score; the custom policy would appear separately and not contribute to the unified score. Option C is wrong because Azure Blueprints is a deployment and orchestration tool, not a compliance scoring mechanism; it cannot aggregate compliance data into Defender for Cloud's regulatory compliance dashboard. Option D is wrong because the Secure Score dashboard measures security posture based on security controls, not regulatory or custom policy compliance; it does not include PCI DSS or custom key vault policies.

1514
Multi-Select · hard

Which TWO steps are necessary to configure Microsoft Sentinel to automatically disable a compromised user account in Microsoft Entra ID when a high-severity incident is created?

Select 2 answers
A. Create a playbook that uses the Microsoft Entra ID 'Disable user' action.
B. Create an automation rule that triggers the playbook when a high-severity incident is created.
C. Enable the Microsoft Defender XDR connector.
D. Enable the Microsoft Entra ID Protection data connector.
E. Create an analytics rule that detects compromised user accounts.
Answers: A, B

The playbook performs the remediation.

Why this answer

Option A is correct because a playbook with a Microsoft Entra ID action can disable the user. Option B is correct because an automation rule triggers the playbook when an incident is created. Option E is wrong because analytics rules create incidents but don't trigger remediation.

Option D is wrong because the Microsoft Entra ID Protection connector is not required; the playbook can connect directly. Option C is wrong because the Microsoft Defender XDR connector is not needed for this scenario.

1515
Multi-Select · easy

Which TWO are supported methods to ingest syslog data into Microsoft Sentinel?

Select 2 answers
A. Common Event Format (CEF) connector
B. Logstash output plugin
C. Azure Event Hubs
D. Syslog connector using Azure Monitor Agent (AMA)
E. Direct Azure Monitor Agent ingestion without connector
Answers: A, D

CEF is a syslog format.

Why this answer

The Common Event Format (CEF) connector is a supported method because it uses a syslog daemon on a Linux log collector to receive CEF-formatted syslog messages over UDP/TCP (port 514 or 25226) and forwards them to the Log Analytics workspace via the Log Analytics agent. This connector specifically parses CEF headers and maps fields to Sentinel's schema, making it a native ingestion path for security appliances like Palo Alto Networks or Fortinet.

Exam trap

The trap here is that candidates confuse Azure Event Hubs as a direct ingestion method for syslog data, when it is actually a transport layer that requires additional components (like a syslog collector or Logstash) to forward data to Sentinel.

1516
MCQ · hard

Your organization uses Microsoft Purview to manage insider risk. A user is suspected of exfiltrating data via email. The incident response team needs to preserve a copy of the user's mailbox for legal hold. Which action should be taken?

A. Place the mailbox on an eDiscovery hold.
B. Place the mailbox on litigation hold.
C. Disable the user's multi-factor authentication to prevent access.
D. Apply a Microsoft Purview retention policy to the user's mailbox.
Answer: B

Litigation hold preserves all mailbox content, including deleted items, for legal purposes.

Why this answer

Option B is correct because a litigation hold preserves all mailbox content, including deleted items. Option A is wrong because an eDiscovery hold is for specific searches, not full preservation. Option D is wrong because retention policies apply to all mailboxes, not a targeted one.

Option C is wrong because disabling MFA does not preserve data.

1517
MCQ · easy

Refer to the exhibit. You are deploying this analytics rule in Microsoft Sentinel. Which activity will trigger an alert?

A. cmd.exe launching winword.exe
B. Any process creation event
C. Winword.exe execution
D. Any cmd.exe execution
E. Word launching cmd.exe
Answer: E

Exactly matches the query.

Why this answer

The query detects when cmd.exe is created by winword.exe, indicating a potential macro-based attack. It does not look for other processes or parent processes.

1518
MCQ · medium

You are investigating a suspicious sign-in reported in Microsoft Defender for Cloud Apps. The activity shows that a user accessed a sensitive SharePoint site from an anonymous IP address. What is the most effective immediate response to prevent further access?

A. Suspend the user account in Microsoft 365 Defender.
B. Change the SharePoint site permissions to remove the user's access.
C. Disable the user's device in Microsoft Intune.
D. Add the anonymous IP address to the blocked IP address list in Conditional Access.
Answer: A

Suspending the user immediately revokes access to all cloud apps until further investigation.

Why this answer

Option A is correct because suspending the user immediately blocks access to all cloud apps. Option C is wrong because disabling the device does not prevent cloud access from other devices. Option B is wrong because changing permissions on the site does not address the user's compromised state.

Option D is wrong because blocking the IP may not be effective if the attacker uses different IPs.

1519
MCQ · hard

During a ransomware incident, a security analyst needs to isolate an affected Windows 10 device managed by Microsoft Intune. The device is currently online and connected to the corporate network. Which remediation action should be taken from Microsoft Defender XDR to achieve this?

A. Block the device in Microsoft Intune
B. Initiate device isolation from the Microsoft Defender for Endpoint console
C. Disable the Windows Firewall via Intune
D. Run a full antivirus scan from Microsoft Defender for Endpoint
Answer: B

Device isolation blocks all network traffic except to the Defender service, containing the threat.

Why this answer

Option B is correct because device isolation in Microsoft Defender for Endpoint disconnects the device from the network while allowing communication with the Defender service. Option D is wrong because running a full antivirus scan does not isolate the device. Option C is wrong because turning off Windows Firewall would increase exposure.

Option A is wrong because blocking the device in Intune revokes access to resources but does not isolate the device from the network.

1520
MCQ · easy

A SOC analyst wants to create an automation rule in Microsoft Sentinel that runs a playbook to disable a user's Microsoft Entra ID account every time an incident is created with a specific 'User' entity (e.g., compromised user). Which condition should be configured in the automation rule?

A. When incident is created, if entity type equals 'Account' and entity value equals 'user@domain.com'
B. When incident is created, if the incident contains a 'User' entity
C. When incident is created with severity High
D. When incident is created, the playbook automatically runs without conditions
Answer: A

This condition ensures the automation rule triggers only when the incident contains the specific user account as an entity. The playbook can then use that entity to disable the user.

Why this answer

Option A is correct because the automation rule must trigger specifically when an incident is created that contains a 'User' entity with a specific value (e.g., user@domain.com). By setting the condition to 'entity type equals Account' and 'entity value equals user@domain.com', the rule ensures the playbook only runs for incidents involving that exact compromised user, preventing unnecessary or incorrect automation. This matches the requirement to disable a specific user's Microsoft Entra ID account based on the entity present in the incident.

Exam trap

The trap here is that candidates often confuse the generic 'contains a User entity' condition (Option B) with the need for a specific entity value, failing to realize that without the exact value, the rule would apply to all incidents with any user entity, not just the targeted compromised user.

How to eliminate wrong answers

Option B is wrong because checking if the incident contains a 'User' entity without specifying the exact entity value would trigger the playbook for any incident with any user entity, not just the targeted compromised user, leading to false positives and potential account lockouts. Option C is wrong because severity High is unrelated to the user entity; the condition must be based on the entity type and value, not the incident severity, to target the specific user. Option D is wrong because automation rules require explicit conditions to run playbooks; running a playbook unconditionally on every incident creation would violate the requirement to target only incidents with the specific 'User' entity.

1521
MCQ · medium

Your organization uses Microsoft Sentinel and you have configured a fusion analytics rule for advanced multistage attack detection. You notice that the rule is generating a high number of false positives. What should you do to reduce the false positives without disabling the rule?

A. Disable the fusion rule and create custom analytics rules
B. Add entity exclusions to the fusion rule configuration
C. Modify the fusion rule's incident creation conditions
D. Reduce the severity threshold for the fusion rule
Answer: B

Fusion rules allow exclusions to reduce false positives.

Why this answer

Option B is correct because fusion rules support tuning by excluding specific entities or alert types. Option A is wrong because disabling the rule is not desired. Option D is wrong because reducing severity does not reduce false positives.

Option C is wrong because the fusion rule is a built-in rule; its incident creation conditions cannot be edited.

1522
MCQ · easy

Your organization uses Microsoft Defender XDR to protect endpoints. You need to ensure that all endpoints are reporting to the Defender for Endpoint service and that any devices that have not checked in for more than 7 days are flagged. You have created a custom detection rule in Microsoft Sentinel that queries the DeviceInfo table and generates an incident for devices with a last check-in time older than 7 days. After a week, you notice that no incidents have been generated, even though you know there are some inactive devices. You verify that the DeviceInfo table is populated with data. What is the most likely issue?

A. The KQL query has a logic error, such as using 'where LastSeen > ago(7d)' instead of 'where LastSeen < ago(7d)'.
B. The Microsoft Defender XDR connector is not configured to send DeviceInfo data.
C. The DeviceInfo table requires a special license to query.
D. The analytics rule is not enabled.
Answer: A

An incorrect comparison operator would result in no matching devices.

Why this answer

Option A is correct because the time filter in the query is most likely applied in the wrong direction: 'where LastSeen > ago(7d)' selects devices seen within the last 7 days, whereas 'where LastSeen < ago(7d)' selects devices not seen for more than 7 days. Option B is wrong because data is being ingested.

Option D is wrong because the rule is enabled. Option C is wrong because the table is populated and queryable.

1523
MCQ · easy

A company wants to be alerted when a virtual machine is exposed to the internet through a permissive network security group rule. Which Microsoft Defender for Cloud feature provides recommendations and alerts for such misconfigurations?

A. Adaptive network hardening
B. Just-in-time VM access
C. File integrity monitoring
D. Application controls
Answer: A

Adaptive network hardening uses machine learning to analyze traffic patterns and recommends NSG rule changes, alerting on internet-exposed VMs due to overly permissive rules.

Why this answer

Adaptive network hardening (ANH) in Microsoft Defender for Cloud analyzes actual traffic patterns, NSG rules, and internet-facing endpoints to identify overly permissive rules that expose VMs to the internet. It then provides actionable recommendations to tighten those rules and can generate security alerts when such misconfigurations are detected. This directly matches the requirement for alerts on internet exposure via permissive NSG rules.

Exam trap

The trap here is confusing a feature that actively controls access (like JIT VM access) with one that detects and alerts on existing misconfigurations (adaptive network hardening), leading candidates to choose JIT because it also deals with internet exposure, but it does not generate alerts for permissive NSG rules.

How to eliminate wrong answers

Option B (Just-in-time VM access) is wrong because it controls inbound access by temporarily opening ports only when needed, but it does not analyze existing NSG rules for permissive internet exposure or generate alerts for misconfigurations. Option C (File integrity monitoring) is wrong because it monitors changes to critical files, registry keys, and system files for compliance and forensic purposes, not network security group rules or internet exposure. Option D (Application controls) is wrong because it uses allow/deny lists to control which applications can run on VMs, focusing on executable and script control, not network security group rule analysis or internet exposure alerts.

1524
Multi-Select · medium

Which THREE of the following are valid incident response actions in Microsoft Defender XDR?

Select 3 answers
A. Isolate a device.
B. Reset user password.
C. Block a malicious URL.
D. Delete an email message.
E. Disable a user account.
Answers: A, D, E

Isolation is a response action available in Defender XDR.

Why this answer

Options A, D, and E are correct because isolating a device, deleting an email, and disabling a user account are common response actions. Option B is wrong because resetting a password is done in Microsoft Entra ID. Option C is wrong because blocking a URL is done in Defender for Office 365, not directly in Defender XDR incident actions.

1525
Multi-Select · easy

Which TWO are valid incident response actions in Microsoft Sentinel?

Select 2 answers
A. Change the incident status to Active.
B. Run a KQL query from the incident.
C. Assign the incident to an analyst.
D. Merge the incident with another incident.
E. Add a comment to the incident.
Answers: A, C

Changing incident status is a valid action.

Why this answer

Options A and C are correct. Changing incident status and assigning an owner are standard actions. Options B, D, and E are not valid: adding comments is a separate action, running a query is not an incident action, and merging incidents is already done via automation.

1526
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Entra ID. You need to implement a solution that automatically disables a user account in Microsoft Entra ID when a high-severity incident involving that user is created in Sentinel. The solution must also send a notification to the security team. You have a playbook that disables the user and sends an email. What should you configure to trigger the playbook?

A. Configure the playbook to run on a schedule and query incidents.
B. Create a workbook that triggers the playbook when a high-severity incident appears.
C. Create an automation rule that runs when an incident is created with severity High and triggers the playbook.
D. Configure the playbook as a response action in the analytics rule that generates the incident.
Answer: C

Correct: automation rules can trigger playbooks on incident creation.

Why this answer

Option C is correct because automation rules can trigger playbooks on incident creation with conditions. Option D is wrong because analytics rules trigger playbooks on alert creation, not incident creation. Option A is wrong because playbooks must be triggered by automation rules or analytics rules, not a schedule.

Option B is wrong because workbooks cannot trigger playbooks.

1527
MCQ · medium

Your Microsoft Sentinel environment is not generating incidents from a custom KQL detection rule. The rule runs successfully in the Log Analytics query editor but no incidents appear. What is the most likely cause?

A. The rule's alert grouping settings are misconfigured
B. The rule is set to create alerts but not incidents
C. The rule's query schedule is too long
D. The rule does not have entity mapping configured
Answer: D

Entity mapping is required for incident creation from custom rules.

Why this answer

The most likely cause is that the rule is set to create alerts but not incidents. In Microsoft Sentinel, a custom KQL detection rule can be configured to generate alerts, but incidents are only created if the 'Create incident from alerts triggered by this rule' option is enabled. Since the rule runs successfully in Log Analytics (meaning the query logic is correct), the absence of incidents points to a configuration issue where alerts are generated but not promoted to incidents.

Exam trap

The trap here is that candidates often assume a successful query execution guarantees incident creation, but they overlook the separate incident creation toggle, which is a distinct configuration step in the analytics rule wizard.

How to eliminate wrong answers

Option A is wrong because alert grouping settings control how alerts are grouped into a single incident (e.g., by entity or time window), but they do not prevent incidents from being created entirely; if incidents are enabled, misconfigured grouping might cause unexpected grouping, not a total absence of incidents. Option B is wrong because this is the correct description of the issue—the rule is set to create alerts but not incidents, which directly explains why no incidents appear despite successful query execution. Option C is wrong because a long query schedule (e.g., running every 24 hours) would delay incident creation but not prevent it; incidents would still appear after the scheduled run if the rule is configured to create them.

1528
Matchingmedium

Match each Microsoft Sentinel feature to its purpose.


Concepts
Matches

Define conditions that generate incidents

Visualize data using custom dashboards

Proactively search for threats

Automate responses using Azure Logic Apps

Detect anomalous behavior based on entity analytics

Why these pairings

These features are core to Microsoft Sentinel's SIEM/SOAR capabilities.

1529
MCQeasy

During an incident response, your team identifies a suspicious PowerShell command executed on multiple devices. Which Microsoft Defender XDR feature should you use to block the command across all endpoints immediately?

A.Potentially Unwanted Application (PUA) protection
B.Indicators of compromise (IoC)
C.Attack Surface Reduction (ASR) rules
D.Device Control policies
AnswerB

IoC allows blocking of malicious commands via custom indicators.

Why this answer

Option B is correct because Microsoft Defender XDR's Indicators of Compromise (IoC) feature allows custom indicators to block file hashes, IPs, URLs, or commands. Option C is wrong because ASR rules are broader and not designed for ad-hoc command blocking. Option D is wrong because Device Control manages hardware peripherals.

Option A is wrong because PUA protection targets potentially unwanted applications, not specific commands.

1530
MCQmedium

Your organization uses Microsoft Defender for Identity. You need to receive alerts when suspicious LDAP queries are detected. What should you configure?

A.Set up an anomaly detection policy in Microsoft Defender for Cloud Apps.
B.Configure alert rules in Microsoft Defender for Identity.
C.Assign the Security Administrator role in Microsoft Entra ID.
D.Create a custom sensitivity label in Microsoft Purview.
AnswerB

Defender for Identity has built-in alert rules for LDAP reconnaissance.

Why this answer

Option B is correct because Microsoft Defender for Identity includes a set of default alert rules that cover LDAP queries. Option D is incorrect because Microsoft Purview is for compliance. Option A is incorrect because Microsoft Defender for Cloud Apps is for cloud apps.

Option C is incorrect because Microsoft Entra ID roles are for identity governance.

1531
MCQmedium

Your organization has Microsoft Defender for Cloud Apps and Microsoft Sentinel integrated. The security team wants to receive alerts when a user's activity from an anonymous IP address exceeds a certain risk score. What should you configure in Defender for Cloud Apps?

A.Anomaly detection policy
B.File policy
C.Activity policy
D.App discovery policy
AnswerC

Activity policies can monitor and alert on specific user activities based on conditions like IP category and risk score.

Why this answer

Option C is correct because activity policies in Defender for Cloud Apps allow you to monitor and alert on specific user activities, such as those from anonymous IP addresses, and can trigger alerts based on risk score thresholds. Option A is wrong because anomaly detection policies detect unusual behavior patterns, not specific activity from anonymous IPs. Option D is wrong because app discovery policies are for discovering cloud apps, not user activities.

Option B is wrong because file policies are for monitoring file access and sharing.

1532
MCQhard

You are reviewing the ARM template snippet shown in the exhibit. What is the purpose of this template?

A.Create a workbook in Azure Monitor
B.Create an analytics rule in Microsoft Sentinel
C.Create a saved search in a Log Analytics workspace
D.Create a data connector in Microsoft Sentinel
AnswerC

The resource type is savedSearches, which creates a saved search.

Why this answer

Option C is correct because the template creates a saved search (which is a query) in a Log Analytics workspace. Option A is wrong because it creates a saved search, not a workbook. Option B is wrong because it creates a saved search, not an analytics rule.

Option D is wrong because it creates a saved search, not a data connector.

1533
MCQeasy

Refer to the exhibit. You deploy this ARM template to your subscription. After deployment, you cannot find the saved search 'Test Search' in the Microsoft Sentinel workspace. What is the most likely reason?

A.The resource type should be for analytics rules, not saved searches.
B.The query 'Heartbeat | summarize Count() by Computer' is invalid.
C.The apiVersion is incorrect.
D.The name concatenation is missing a parameter.
AnswerA

Sentinel uses alertRules, not savedSearches.

Why this answer

Option A is correct because the ARM template deploys a resource of type 'Microsoft.OperationsManagement/solutions' with a saved search, but Microsoft Sentinel does not use saved searches for analytics rules. In Sentinel, detection rules are created as 'Microsoft.SecurityInsights/alertRules', not as saved searches under a Log Analytics workspace. The template's resource type is mismatched for the intended functionality, so the saved search 'Test Search' will not appear as a Sentinel analytics rule.

Exam trap

The trap here is that candidates assume any KQL query deployed via ARM template in a Log Analytics workspace will automatically appear as a Sentinel analytics rule, but Microsoft requires the correct resource provider and type for Sentinel-specific features.

How to eliminate wrong answers

Option B is wrong because the query 'Heartbeat | summarize Count() by Computer' is syntactically valid KQL and would execute successfully in Log Analytics; it is not the reason the saved search is missing. Option C is wrong because the apiVersion '2015-11-01-preview' is a valid and supported version for Log Analytics saved searches and solutions; an incorrect apiVersion would cause a deployment error, not a silent failure to find the search. Option D is wrong because the name concatenation '[concat(parameters('workspaceName'), '/', variables('savedSearchName'))]' is correctly formatted and includes all required parameters; missing a parameter would cause a deployment failure, not a missing search.

1534
MCQhard

You are the security operations lead for a multinational company that uses Microsoft Sentinel in a single workspace. You have recently onboarded 10 new business units, each with their own analytics rules and automation. The security team is overwhelmed by the number of low-fidelity incidents generated. You need to reduce noise without disabling critical detections. You must ensure that each business unit retains ownership of their incidents and can customize their own suppression rules. You also need centralized reporting on incident trends across all business units. You have identified that many low-fidelity alerts come from a common set of data sources. What should you do?

A.Disable the data connectors that produce the most noise.
B.Create an automation rule that automatically closes low-severity incidents.
C.Create a separate analytics rule for low-fidelity alerts that uses alert suppression to group similar alerts.
D.Create a workbook that filters out low-severity incidents from the dashboard.
AnswerC

Alert suppression reduces noise while maintaining detection capability.

Why this answer

Option C is correct because creating a separate analytics rule for low-fidelity alerts with alert suppression enabled allows you to group similar alerts into a single incident, reducing noise without disabling the underlying data connectors or critical detections. This approach preserves each business unit's ownership of their incidents and enables them to customize suppression rules via automation rules or analytics rule settings, while centralized reporting on incident trends remains intact because the workspace still ingests all alerts.

Exam trap

The trap here is that candidates often confuse reducing noise with simply hiding or closing incidents after they are generated, rather than preventing the noise at the analytics rule level through alert suppression, which is the only option that reduces incident volume while preserving data fidelity and per-unit customization.

How to eliminate wrong answers

Option A is wrong because disabling data connectors that produce noise would also remove all alerts from those sources, potentially disabling critical detections that rely on the same data, and it does not allow per-business-unit customization. Option B is wrong because automatically closing low-severity incidents via an automation rule does not reduce the number of incidents generated; it only closes them after creation, still overwhelming the queue and potentially hiding legitimate low-severity incidents that require investigation. Option D is wrong because creating a workbook that filters out low-severity incidents only changes the dashboard view, not the actual incident generation or noise reduction, and it does not address the root cause of excessive low-fidelity alerts.

1535
MCQhard

Refer to the exhibit. A threat hunter creates a scheduled analytics rule in Microsoft Sentinel using this query. The rule triggers frequently but generates many false positives. What is the best way to improve the rule's precision?

A.Add a filter on Severity to only include High and Medium alerts.
B.Disable MITRE ATT&CK technique mapping.
C.Add EntityMapping to map the compromised entity to an account.
D.Increase the query frequency to run every hour.
AnswerA

Filtering by severity reduces false positives from low-severity alerts.

Why this answer

Option A is correct because adding a condition on Severity reduces false positives by filtering out informational alerts. Option C is wrong because adding EntityMapping doesn't change the query logic. Option D is wrong because increasing the frequency may cause more false positives.

Option B is wrong because turning off MITRE ATT&CK mapping doesn't affect false positives.

1536
MCQhard

The KQL query above is used in a threat hunt. What is the most likely scenario this query is designed to detect?

A.Identification of lateral movement using PsExec
B.Discovery of data exfiltration using FTP
C.Hunting for code execution via rundll32.exe loading JavaScript
D.Detection of regsvr32.exe being used to execute scriptlet files
AnswerC

The combination of PowerShell spawning rundll32 with 'javascript:' indicates potential code execution via JavaScript.

Why this answer

The query looks for PowerShell spawning rundll32.exe with a command line containing 'javascript:', which is a common technique to execute JavaScript via rundll32 as a form of code execution or bypass. Option D is incorrect because regsvr32.exe is not involved. Option A is wrong because lateral movement via PsExec is not shown.

Option B is wrong because data exfiltration via FTP is not indicated.

1537
MCQhard

The exhibit shows a KQL query used in a Microsoft 365 Defender custom detection rule. The query is intended to detect encoded PowerShell commands executed in the last hour. However, the detection rule is not generating any alerts even though the SOC knows that encoded PowerShell commands are being executed. Which modification would most likely fix the detection rule?

A.Change `contains` to `has` for better performance and accuracy.
B.Add a condition to also look for `-EncodedCommand` in the command line.
C.Modify the query to use `project-away` instead of `project`.
D.Replace `FileName == "powershell.exe"` with `InitiatingProcessFileName == "powershell.exe"`.
AnswerB

The `-enc` flag is an alias for `-EncodedCommand`, but the query should explicitly check for `-EncodedCommand` to ensure detection of all variations.

Why this answer

The query filters on `FileName == "powershell.exe"` over the last hour and uses `contains "-enc"` to find encoded commands. `contains` is case-insensitive, so casing is not the problem, and KQL keywords such as `project` are not case-sensitive either, so the `project` clause does not explain the missing alerts. The query already restricts the process name, so a filter on `InitiatingProcessFileName` would not help. A scheduling or time-window problem (for example, a rule that runs less often than the `ago(1h)` window it queries) could also explain missing alerts, but none of the options address scheduling.

What the query does not do is check explicitly for the `-EncodedCommand` parameter. `-enc` is only one of the forms PowerShell accepts, so the rule should match `-EncodedCommand` as well to cover all variations.

Option B is correct because the query should also look for the `-EncodedCommand` parameter explicitly. Option A is wrong because using `has` instead of `contains` would be more precise and cheaper, but it is not the main issue. Option D is wrong because the query already filters on FileName.

Option C is wrong because the query already uses `project`; switching to `project-away` changes only which columns are returned.
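The exhibit is not reproduced on this page, so the following is an added example rather than the question's query. It assumes the original rule had the shape described above (a `FileName` filter plus a single `contains "-enc"` test, kept in the comment for comparison) and shows a hardened form of the same Defender XDR custom detection: the full switch and its aliases are named explicitly, `pwsh.exe` is covered, the base64 payload is extracted and decoded for the analyst, and the columns a custom detection rule needs (`Timestamp`, `DeviceId`, `ReportId`) are returned.

```kql
// Added example, not the exhibit from the question. Assumed shape of the
// original rule: FileName == "powershell.exe" with a single contains "-enc" test.
// Weak form (assumed), kept as a comment for comparison:
//   DeviceProcessEvents
//   | where Timestamp > ago(1h)
//   | where FileName == "powershell.exe"
//   | where ProcessCommandLine contains "-enc"
//   | project Timestamp, DeviceName, ProcessCommandLine
//
// Hardened form: name the full switch and its short aliases explicitly, cover
// pwsh.exe too, and return the columns a custom detection rule requires
// (Timestamp, DeviceId, ReportId).
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// has_any matches whole terms, case-insensitively, and is cheaper than contains.
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "-ec", "-e")
// The base64 blob after the switch is the real signal; pull it out so that a
// bare "-e" used for some other parameter does not fire the rule.
| extend EncodedPayload = extract(@"(?i)(?:^|\s)-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(EncodedPayload)
// PowerShell encodes the script as UTF-16LE, so the decoded text carries a NUL
// after every ASCII character; strip them to make it readable in the alert.
| extend DecodedCommand = replace_regex(base64_decode_tostring(EncodedPayload), @"\x00", "")
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine, DecodedCommand
```

When this is saved as a custom detection rule, the rule frequency should be no longer than the `ago(1h)` window, otherwise events that fall between two runs are never examined, which is the scheduling gap mentioned above.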

1538
MCQhard

A SOC team uses Microsoft Sentinel. They receive a large volume of low-severity incidents from a specific analytics rule that causes alert fatigue. They want to automatically close incidents that match certain criteria (e.g., originating from a known test IP). Which feature should they configure?

A.Automation rules with a condition to close incidents
B.Playbook with a timer trigger
C.Watchlist integration
D.Fusion rule
AnswerA

Automation rules can be configured with conditions (e.g., if the source IP is in a watchlist) and an action to close the incident, effectively suppressing unwanted alerts.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically close incidents based on specific conditions, such as a known test IP address. This directly addresses alert fatigue by suppressing low-severity incidents without manual intervention. Unlike playbooks, automation rules are lightweight and run natively within Sentinel without requiring a Logic Apps instance.

Exam trap

Microsoft often tests the distinction between automation rules (native, condition-based actions) and playbooks (external Logic Apps workflows), leading candidates to incorrectly choose a playbook when a simpler automation rule suffices.

How to eliminate wrong answers

Option B is wrong because a playbook with a timer trigger runs on a schedule, not in response to an incident being created; it cannot automatically close incidents based on real-time criteria like source IP. Option C is wrong because a watchlist is a data reference object used for enrichment or correlation in queries and rules, not a mechanism to automatically close incidents. Option D is wrong because a Fusion rule is a correlation-based analytics rule that reduces alert fatigue by combining alerts into high-fidelity incidents, but it does not close existing incidents based on custom criteria like a test IP.

1539
MCQhard

Your team is using Microsoft Sentinel to hunt for signs of Kerberos golden ticket attacks. You have enabled Advanced Security Audit Policy on domain controllers to log Kerberos service ticket operations (Event ID 4769). You need to create a KQL query that identifies potential golden ticket use by looking for service tickets that have anomalous attributes, such as ticket encryption type 0x17 (RC4) combined with a long lifetime or unusual service names. Which KQL query should you use?

A.SecurityEvent | where EventID == 4769 and TicketEncryptionType == '0x17'
B.SecurityEvent | where EventID == 4769 and TicketEncryptionType == '0x12' and TicketOptions contains '0x2'
C.SecurityEvent | where EventID == 4769 and TicketEncryptionType == '0x17' and (TicketOptions contains '0x2' or ServiceName !startswith 'krbtgt')
D.SecurityEvent | where EventID == 4768 and TicketEncryptionType == '0x17'
AnswerC

Correctly identifies RC4 tickets with renewable flag or non-default service.

Why this answer

Option C correctly filters for RC4 encryption type (0x17), a common indicator of forged tickets, and checks for long lifetime (TicketOptions contains '0x2' for renewable) and unusual services. Option B uses the wrong encryption type; Option A only filters for encryption type without anomaly checks; Option D uses the wrong event ID (4768 is for TGT requests).
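As an added example (not from the page), option C's filter carried through to a result set an analyst can review: the same three conditions, restricted to successful requests, then aggregated per account so that a single ticket does not raise a hunt but a cluster does. The one-hour window and the five-ticket threshold are constructed values for illustration.

```kql
// Added example, not from the page: option C's filter carried through to a
// reviewable result set. Constructed values: the 1h window and the 5-ticket
// threshold are illustrative, not Microsoft guidance.
let Window = 1h;
let MinTickets = 5;
SecurityEvent
| where TimeGenerated > ago(Window)
| where EventID == 4769
| where Status == "0x0"                    // successful service-ticket requests only
// 0x17 is RC4-HMAC; as the question notes, forged tickets commonly request it,
// while healthy domains default to AES (0x11/0x12).
| where TicketEncryptionType == "0x17"
// The anomalies from the question: renewable flag (0x2 in TicketOptions) or a
// service other than krbtgt.
| where TicketOptions contains "0x2" or ServiceName !startswith "krbtgt"
| summarize TicketCount = count(),
            Services = make_set(ServiceName, 20),
            SourceIPs = make_set(IpAddress, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by TargetUserName, TargetDomainName, Computer
| where TicketCount >= MinTickets
| order by TicketCount desc
```

Two caveats a practitioner would want: 4769 records service-ticket requests, which are normally for services other than krbtgt (krbtgt appears in the 4768 TGT request), so the `ServiceName` clause on its own is broad and it is the RC4 condition plus the per-account count that does the filtering; and `TicketOptions` is a hex bit mask stored as a string, so `contains "0x2"` is a coarse substring test rather than a check of an individual flag bit.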

1540
MCQmedium

Your threat hunt involves correlating alerts from Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint. Which Microsoft Sentinel integration should you use to unify these alerts for hunting?

A.Microsoft Sentinel's unified analytics rules and incident creation
B.Power Automate flows to merge alerts
C.Microsoft Graph API to pull alerts into a custom database
D.Azure Monitor Workbooks to display alerts side by side
AnswerA

Microsoft Sentinel ingests alerts from all Microsoft Defender products and allows cross-correlation.

Why this answer

Option A is correct because Microsoft Sentinel provides built-in connectors and analytics rules to correlate alerts across Microsoft Defender XDR, including Defender for Cloud Apps and Defender for Endpoint. Option C (Microsoft Graph API) is programmatic but not a unified hunting experience. Option D (Azure Monitor Workbooks) visualizes but does not correlate.

Option B (Power Automate) automates responses but not correlation.

1541
MCQmedium

A company uses Microsoft Defender for Cloud with Defender for Containers enabled. The security team wants to view security alerts generated for their Azure Kubernetes Service (AKS) clusters. Where should they navigate to see these alerts?

A.In the Microsoft Defender for Cloud 'Security alerts' page.
B.In Microsoft Sentinel incidents.
C.In the Microsoft 365 Defender portal.
D.In Azure Monitor alerts.
AnswerA

Correct. All Defender for Cloud alerts, including those for containers, are listed in the Security alerts blade.

Why this answer

Microsoft Defender for Cloud is the central console for security alerts generated by Defender for Containers, including those for AKS clusters. The 'Security alerts' page within Defender for Cloud aggregates all cloud workload protection alerts, making it the correct location to view AKS-specific alerts. Alerts from Defender for Containers are automatically surfaced here without additional configuration.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal (unified for Microsoft 365 security) with Defender for Cloud (for cloud workloads), leading them to choose Option C instead of the correct Azure-native security alerts page.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel incidents require a separate SIEM integration and are not the native location for Defender for Cloud alerts; alerts must be forwarded via connector to appear there. Option C is wrong because the Microsoft 365 Defender portal focuses on endpoint, email, and identity threats, not cloud workload alerts from AKS. Option D is wrong because Azure Monitor alerts are designed for infrastructure metrics and logs, not the security-specific, contextual alerts generated by Defender for Cloud's threat detection engines.

1542
MCQmedium

A security analyst is building a custom detection rule in Microsoft 365 Defender to identify ransomware activity. The rule should trigger when files with specific extensions (e.g., .encrypted, .locked) are created on multiple devices within a short time frame, suggesting a widespread attack. Which combination of advanced hunting tables should be used to obtain both file creation events and device information?

A.DeviceFileEvents and DeviceInfo
B.DeviceProcessEvents and DeviceInfo
C.DeviceFileEvents and DeviceNetworkEvents
D.DeviceFileEvents and DeviceLogonEvents
AnswerA

Correct. DeviceFileEvents contains file creation (ActionType 'FileCreated') details including SHA256, file name, and folder path. Joining with DeviceInfo provides device metadata like device name and OS. This combination directly supports the requirement.

Why this answer

Option A is correct because DeviceFileEvents captures file creation events, including the specific extensions like .encrypted and .locked, while DeviceInfo provides device metadata such as device name, OS platform, and device group. Joining these tables on DeviceId allows the analyst to correlate file creation events across multiple devices, enabling detection of widespread ransomware activity within a short time frame.

Exam trap

The trap here is that candidates may confuse file creation events with process creation events (DeviceProcessEvents) or network events (DeviceNetworkEvents), overlooking that only DeviceFileEvents directly captures the file extension data needed for ransomware detection.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents logs process creation events (e.g., command-line executions), not file creation events; it cannot directly identify files with specific extensions being created. Option C is wrong because DeviceNetworkEvents captures network connections and DNS queries, not file creation events; it provides no visibility into local file system changes. Option D is wrong because DeviceLogonEvents records authentication events (logon/logoff), not file creation events; it cannot detect the creation of encrypted or locked files.
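The following is an added example (not from the page) of the detection the question describes: file creations with the named extensions are bucketed into short windows, windows that touch several devices are kept, and each hit is joined to `DeviceInfo` on `DeviceId` for device metadata. The extension list, the 10-minute window and the three-device threshold are constructed values; the output keeps `Timestamp`, `ReportId` and `DeviceId` per row because a Defender XDR custom detection rule needs them to identify the impacted device.

```kql
// Added example, not from the page: a custom detection query that flags a burst
// of ransomware-style file creations across several devices and enriches each
// hit with DeviceInfo. Constructed values: the extension list, the 10-minute
// window and the 3-device threshold are illustrative.
let SuspiciousExtensions = dynamic([".encrypted", ".locked"]);
let Window = 10m;
let MinDevices = 3;
// DeviceInfo has one row per heartbeat; keep only the latest per device.
let LatestDeviceInfo =
    DeviceInfo
    | summarize arg_max(Timestamp, DeviceName, OSPlatform, MachineGroup) by DeviceId;
let Creations =
    DeviceFileEvents
    | where Timestamp > ago(1h)
    | where ActionType == "FileCreated"
    | extend Extension = tolower(extract(@"(\.[^.\\/]+)$", 1, FileName))
    | where Extension in (SuspiciousExtensions)
    | extend Bucket = bin(Timestamp, Window);
Creations
// How many distinct devices wrote such files in each window?
| summarize AffectedDevices = dcount(DeviceId) by Bucket
| where AffectedDevices >= MinDevices
// Join back so the result keeps one row per device, with the columns a custom
// detection rule needs to identify the impacted entity (Timestamp, ReportId, DeviceId).
| join kind=inner (Creations) on Bucket
| summarize arg_max(Timestamp, ReportId, FileName, FolderPath), FileCount = count()
    by DeviceId, Bucket, AffectedDevices
| join kind=leftouter (LatestDeviceInfo) on DeviceId
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, MachineGroup,
          Bucket, AffectedDevices, FileCount, FileName, FolderPath
| order by Bucket desc, FileCount desc
```

The two-stage shape (count devices per window, then join back to the per-device rows) is what lets the rule alert on "multiple devices within a short time frame" while still attaching each alert to a concrete device; `DeviceProcessEvents`, `DeviceNetworkEvents` and `DeviceLogonEvents` carry no file-extension data, which is why the wrong options fail.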

1543
MCQhard

Refer to the exhibit. An automation rule in Microsoft Sentinel is configured as shown. When a high-severity incident is created, what is the expected behavior?

A.All actions execute successfully: task created, playbook runs, incident owner set to SOC-Tier1.
B.The rule fails to run because the actions are not in valid JSON format.
C.The task is created, then the playbook runs, but the incident modification fails because the owner is incorrectly formatted.
D.The playbook runs first, then the task is created, then the incident is modified.
AnswerC

The owner field should be an object with objectId and email.

Why this answer

Option C is correct because the automation rule in Microsoft Sentinel executes actions sequentially. The task creation and playbook run succeed, but the incident modification fails because the owner field is incorrectly formatted. Sentinel expects the incident owner to be specified as a user principal name (UPN) or object ID, not a plain text string like 'SOC-Tier1'.

Exam trap

The trap here is that candidates assume all actions in an automation rule execute independently and ignore the specific formatting requirements for the incident owner field, leading them to select Option A or D.

How to eliminate wrong answers

Option A is wrong because the incident modification action fails due to the invalid owner format, so not all actions execute successfully. Option B is wrong because the rule actions are defined in the Sentinel UI as structured JSON, which is valid; the failure is due to runtime validation of the owner value, not JSON syntax. Option D is wrong because the actions execute in the order listed in the rule: task creation first, then playbook, then incident modification; the playbook does not run first.

1544
MCQeasy

A security operations analyst is reviewing recommendations in Microsoft Defender for Cloud. For a virtual machine that is missing critical security updates, which recommendation category will highlight this issue?

A.Secure score
B.Regulatory compliance
C.Workload protections
D.Inventory
AnswerA

Secure score includes recommendations for remediating vulnerabilities like missing critical updates.

Why this answer

In Microsoft Defender for Cloud, the Secure score category directly reflects the security posture of your resources by tracking the implementation of security recommendations. Missing critical security updates on a virtual machine are flagged as a recommendation within this category, and resolving them improves your secure score percentage. This is because secure score is calculated based on the compliance status of each recommendation, with missing updates being a key control for vulnerability management.

Exam trap

The trap here is that candidates often confuse the 'Regulatory compliance' category with security update tracking, but regulatory compliance only shows compliance with specific standards, not the operational status of missing patches.

How to eliminate wrong answers

Option B is wrong because Regulatory compliance focuses on aligning your environment with specific compliance standards (e.g., ISO 27001, SOC 2) and does not directly surface missing security updates as a standalone recommendation category. Option C is wrong because Workload protections is a category for enabling and managing advanced threat protection plans (e.g., Defender for Servers, Defender for SQL) and does not list individual missing update recommendations. Option D is wrong because Inventory provides a list of all resources and their metadata, but it does not categorize or prioritize missing security updates as a recommendation; it is a resource discovery tool, not a recommendation category.

1545
MCQmedium

Your Microsoft Sentinel workspace ingests logs from multiple sources. During an incident, you need to quickly identify all user accounts that have been compromised based on a known malicious IP address. Which KQL operator is most efficient for this?

A.summarize
B.where
C.lookup
D.join kind=inner
AnswerC

lookup is optimized for enriching a large table with a small reference table.

Why this answer

Option C is correct because the lookup operator is optimized for joining a large table with a small reference set (the malicious IP). Option D is wrong because join is less efficient for this pattern. Option B is wrong because a where clause would require filtering each row individually against the list.

Option A is wrong because summarize is for aggregation, not matching.
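As an added example (not from the page), the pattern the question describes in working KQL: a small, constructed reference table of indicator IPs (documentation-range addresses standing in for a threat-intel feed) enriched into `SigninLogs` with `lookup`, then aggregated per user so the compromised accounts surface first. In a real workspace the reference set would usually come from a watchlist via `_GetWatchlist()` rather than an inline `datatable`.

```kql
// Added example, not from the page. Constructed reference set: three
// documentation-range IP addresses standing in for a threat-intel feed.
let MaliciousIPs = datatable(IPAddress:string, Source:string) [
    "198.51.100.23", "constructed-feed",
    "203.0.113.77",  "constructed-feed",
    "192.0.2.150",   "constructed-feed"
];
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"                  // successful sign-ins only
// lookup broadcasts the small table to every node and scans SigninLogs once;
// a join kind=inner on the same key would shuffle both sides.
| lookup kind=inner MaliciousIPs on IPAddress
| summarize SignIns = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Apps = make_set(AppDisplayName, 10),
            IPs = make_set(IPAddress, 10)
    by UserPrincipalName, Source
| order by SignIns desc
```

`lookup` is `kind=leftouter` by default, which would keep every sign-in and leave `Source` empty for non-matches; `kind=inner` is the right choice here because only the rows that hit the indicator list are of interest.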

1546
Multi-Selecthard

Which TWO of the following are valid approaches to perform threat hunting using Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Using Fusion analytics rule
B.Using the Hunting blade and Livestream
C.Using Automation rules to trigger playbooks
D.Using KQL queries in the Logs blade
E.Using Azure Policy to enforce compliance
AnswersB, D

Hunting blade provides predefined queries and livestream for real-time hunting.

Why this answer

The Hunting blade in Microsoft Sentinel provides a dedicated interface for proactive threat hunting, allowing analysts to run KQL queries and pivot through results. Livestream extends this by enabling continuous, real-time query execution against incoming data, which is essential for detecting patterns that evolve over minutes or hours. Both features are explicitly designed for iterative, hypothesis-driven threat hunting rather than automated detection.

Exam trap

The trap here is that candidates confuse automated detection rules (like Fusion) or response automation (like playbooks) with the manual, iterative process of threat hunting, which requires interactive querying and live monitoring rather than passive alerting.

1547
MCQmedium

You are investigating a potential malicious PowerShell execution in Microsoft Defender for Endpoint using this KQL query in Advanced Hunting. The query returns no results. What is the most likely cause?

A.The column names are incorrect; 'InitiatingProcessFileName' should be 'ParentProcessFileName'.
B.The table name should be 'DeviceProcessEvents' instead of 'DeviceEvents'.
C.The 'take 100' operator limits results to only 100, but the query may return results if more data exists.
D.The query uses 'ago(7d)' which may be too short for historical data.
AnswerB

Process creation events are in DeviceProcessEvents, not DeviceEvents.

Why this answer

Option B is correct because the DeviceEvents table is not part of the Defender for Endpoint schema for process creation; the correct table is DeviceProcessEvents. Option C is wrong because 'take 100' does not affect the query logic. Option A is wrong because the column names are correct.

Option D is wrong because the time range is valid.

1548
MCQmedium

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). During an incident investigation, you identify that a user account has been exhibiting anomalous behavior, such as logging in from multiple countries within a short time. You need to determine if the account is compromised and take appropriate action. What should you do first?

A.Disable the user account in Microsoft Entra ID.
B.Review the UEBA insights for the user to understand the anomaly.
C.Create a custom automation rule in Sentinel to disable the account on similar alerts.
D.Reset the user's password immediately.
AnswerB

UEBA provides context on whether the behavior is unusual for that user.

Why this answer

Option B is correct because UEBA provides risk scores and peer comparisons that can help determine if the behavior is truly anomalous. Option D is wrong because resetting the password without investigation may not be necessary if the behavior is legitimate. Option A is wrong because disabling the account is premature.

Option C is wrong because creating an automation rule is a response step, not an investigation step.

1549
MCQeasy

Your SOC team receives a high-priority incident related to a potential malware outbreak. You need to quickly identify all affected devices and users across the environment. What Microsoft Defender XDR feature should you use?

A.Advanced hunting
B.Action center
C.Incident graph
D.Microsoft Sentinel workbook
AnswerC

The incident graph provides a visual representation of the attack story.

Why this answer

Option C is correct because the incident graph visually maps the relationships between alerts, devices, users, and entities. Option A is wrong because advanced hunting is query-based and slower for immediate triage. Option B is wrong because the action center is for remediation actions.

Option D is wrong because a workbook is for reporting.

1550
MCQhard

During a hunt, you discover that an attacker used a valid but compromised service principal to authenticate to Azure Key Vault and export secrets. Which Microsoft Sentinel hunting query would best identify similar activity across your environment?

A.AADManagedIdentitySignInLogs | where ResultType == 0
B.ServicePrincipalSignInLogs | where ResultType == 0 | where ResourceDisplayName contains 'Key Vault'
C.SigninLogs | where ResultType == 0 | where AppDisplayName contains 'Key Vault'
D.AADUserRiskEvents | where RiskEventType == 'compromised'
AnswerB

ServicePrincipalSignInLogs captures sign-ins for non-user identities, and filtering on Key Vault resource identifies access to secrets.

Why this answer

Option B is correct because ServicePrincipalSignInLogs tracks service principal sign-ins, and auditing for successful access to Key Vault can reveal similar compromises. Option C is wrong because SigninLogs covers user sign-ins. Option D is wrong because AADUserRiskEvents is for user risk.

Option A is wrong because AADManagedIdentitySignInLogs covers managed identities only, not all service principals.

1551
MCQmedium

You are a security analyst. You notice that Microsoft Sentinel is not receiving logs from Microsoft 365 Defender incidents. The diagnostic settings in Microsoft 365 Defender are configured to send data to the Sentinel workspace. What should you check first?

A.Check if the Microsoft Sentinel solution is installed.
B.Verify that the Log Analytics workspace is in the same region as the Sentinel workspace.
C.Ensure the Microsoft 365 Defender data connector in Microsoft Sentinel is enabled.
D.Check the 'SecurityIncident' table schema for missing columns.
AnswerC

The connector must be enabled to receive the data.

Why this answer

Option C is correct because the Microsoft Sentinel data connector for Microsoft 365 Defender must be enabled to ingest the incidents. Options A and B are irrelevant for data ingestion. Option D is for table schema, not ingestion.

1552
MCQmedium

You are a security analyst for a company that uses Microsoft Defender XDR. You receive a high-severity incident indicating that a user's device has been compromised with a remote access trojan (RAT). The incident is automatically generated by Microsoft Defender XDR. You need to contain the threat immediately while preserving forensic data. You also need to ensure that the user can continue working with minimal disruption. What should you do?

A.Initiate device isolation from Microsoft Defender XDR.
B.Restore the device from a recent backup.
C.Run a full antivirus scan on the device.
D.Reset the user's password and force a sign-out.
AnswerA

Isolation contains the threat and preserves evidence.

Why this answer

Option A is correct because initiating device isolation from Microsoft Defender XDR immediately disconnects the device from the network while preserving forensic data on the device. This contains the RAT's command-and-control communication without disrupting the user's ability to work offline, and it allows the security team to investigate the compromised device without risk of lateral movement or data exfiltration.

Exam trap

The trap here is that candidates may choose a reactive remediation step like running a scan or resetting credentials, failing to recognize that immediate containment via network isolation is the priority to stop active compromise while preserving evidence.

How to eliminate wrong answers

Option B is wrong because restoring from a recent backup would overwrite existing forensic data, potentially destroying evidence of the RAT's installation and persistence mechanisms, and it does not contain the active threat in real time. Option C is wrong because running a full antivirus scan is a reactive, time-consuming step that does not immediately stop the RAT from communicating or spreading; the threat remains active during the scan. Option D is wrong because resetting the user's password and forcing a sign-out does not address the device-level compromise; the RAT would still be present on the device and could re-establish access or capture new credentials.

1553
MCQmedium

Your organization has deployed Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all Defender XDR incidents are automatically synchronized into Microsoft Sentinel for a single pane of glass. What should you configure?

A.Enable the Microsoft Sentinel data connector for Microsoft Defender XDR
B.Use Microsoft Graph API to sync incidents daily
C.Create an automation rule in Microsoft Sentinel to create incidents from Defender XDR alerts
D.Configure Microsoft Defender XDR to forward incidents to Sentinel using a webhook
AnswerA

This connector automatically ingests Defender XDR incidents into Sentinel.

Why this answer

Option A is correct because the Microsoft Sentinel data connector for Microsoft Defender XDR is the native integration that automatically synchronizes all Defender XDR incidents into Sentinel. This connector ingests incidents, alerts, and evidence from Defender XDR into the Sentinel workspace, enabling a single pane of glass without requiring custom scripting or manual workflows.

Exam trap

The trap here is that candidates often confuse alert-based connectors (like the Microsoft Defender for Endpoint connector) with the incident-level Microsoft Defender XDR connector, or they assume that automation rules or webhooks are the correct method for incident synchronization, when the native connector is the only supported and recommended approach.

How to eliminate wrong answers

Option B is wrong because using Microsoft Graph API to sync incidents daily would require custom development, polling logic, and manual scheduling, which is not a built-in or supported method for automatic incident synchronization; the native connector handles this in real time. Option C is wrong because creating an automation rule in Sentinel to create incidents from Defender XDR alerts would only process individual alerts, not the correlated incidents that Defender XDR generates, and would bypass the incident-level synchronization provided by the connector. Option D is wrong because configuring Defender XDR to forward incidents to Sentinel using a webhook is not a supported feature; Defender XDR does not have a native webhook export for incidents, and even if implemented via Logic Apps, it would be a custom, non-standard approach compared to the official connector.

1554
MCQmedium

Your threat hunt identifies a process that is making outbound connections to an unknown IP address. Which Microsoft Defender for Endpoint action can you take to immediately isolate the device?

A.Isolate device
B.Collect investigation package
C.Block file
D.Run antivirus scan
AnswerA

Immediately disconnects the device from the network.

Why this answer

Option A is correct because Isolate device disconnects the device from the network. Option D only runs a scan. Option B collects an investigation package.

Option C blocks the file but doesn't isolate the device.

1555
MCQmedium

A security analyst wants to configure a playbook in Microsoft Sentinel that runs automatically when a specific alert is generated. Which trigger concept is used to invoke the playbook?

A.Azure Logic Apps trigger
B.Sentinel trigger
C.Alert trigger
D.Automation rule trigger
AnswerA

Playbooks are Logic Apps workflows; they use a built-in Logic Apps trigger to respond to Sentinel alerts.

Why this answer

In Microsoft Sentinel, playbooks are built on Azure Logic Apps, and the correct trigger to invoke a playbook automatically when an alert is generated is the Azure Logic Apps trigger. This trigger listens for the Sentinel alert creation event and initiates the playbook workflow. The other options are not valid trigger concepts within Sentinel's architecture.

Exam trap

The trap here is that candidates may confuse the automation rule (which invokes the playbook) with the actual trigger mechanism, leading them to choose 'Automation rule trigger' instead of recognizing that the playbook itself is triggered by an Azure Logic Apps trigger.

How to eliminate wrong answers

Option B is wrong because 'Sentinel trigger' is not a defined trigger type; the actual trigger is an Azure Logic Apps trigger that uses the Sentinel connector. Option C is wrong because 'Alert trigger' is a generic term and not the specific trigger concept used in Sentinel; the trigger is implemented via Logic Apps. Option D is wrong because 'Automation rule trigger' is a misnomer; automation rules can invoke playbooks, but the trigger itself is the Azure Logic Apps trigger, not an automation rule trigger.

1556
MCQeasy

You are configuring a Microsoft Sentinel automation rule to automatically assign incidents to a specific owner based on a custom property. Which action type should you use?

A.Run playbook
B.Assign owner
C.Change status
D.Create ticket (preview)
AnswerB

This action sets the incident owner to a specified user or group.

Why this answer

The 'Assign owner' action type is specifically designed to change the owner of an incident in Microsoft Sentinel. When you need to automatically assign incidents to a specific owner based on a custom property (e.g., a tag or custom field), this action directly modifies the incident's 'Owner' property. Other action types serve different purposes: 'Run playbook' executes a logic app, 'Change status' updates the incident's status (e.g., New, Active, Closed), and 'Create ticket (preview)' creates an external ticket in a connected ticketing system.

Exam trap

The trap here is that candidates often confuse 'Assign owner' with 'Run playbook', thinking a playbook is required to change the owner, but Sentinel provides a native action for this simple property change without needing a Logic App.

How to eliminate wrong answers

Option A is wrong because 'Run playbook' triggers a Logic App workflow, which can include complex logic but is not a direct action to set the incident owner; it is used for automation beyond simple property changes. Option C is wrong because 'Change status' modifies the incident's status (e.g., from New to Active), not the owner assignment. Option D is wrong because 'Create ticket (preview)' generates a ticket in an external system (e.g., ServiceNow) and does not modify the Sentinel incident's owner field.

1557
MCQmedium

You are investigating a potential data exfiltration incident. You notice a user uploading large amounts of data to a cloud storage service that the organization has not approved. Which Microsoft Defender XDR feature would best help you hunt for similar patterns across all users?

A.Custom detection rules in Microsoft Sentinel
B.Advanced hunting in Microsoft Defender XDR
C.Incident investigation graph in Microsoft Defender XDR
D.Automation rules in Microsoft Sentinel
AnswerB

Advanced hunting provides a KQL interface to query raw data across endpoints, identities, and cloud apps for hunting.

Why this answer

Option B is correct because advanced hunting allows you to write custom KQL queries to detect patterns like large uploads to unapproved cloud storage. Option A is wrong because custom detection rules are for creating alerts based on queries, but the question asks for hunting. Option C is wrong because incident investigation focuses on a single incident, not proactive hunting.

Option D is wrong because automation rules automate responses, not hunting.

1558
MCQmedium

Your organization uses Microsoft Sentinel. You are responsible for responding to incidents. A new 'MFA Denied' incident is created from Microsoft Entra ID sign-in logs, indicating that a user in your organization had multiple MFA denials from a suspicious IP address (203.0.113.5). The user is a sales representative who frequently travels. The incident severity is Medium. The incident contains entities: user 'jsmith@contoso.com', IP address 203.0.113.5, and a device running Windows 11. You need to investigate and determine if this is a true positive. The user is currently on a business trip in Europe, but the sign-in attempts originated from an IP address in a different region. What should you do first?

A.Immediately reset the user's password and revoke sessions.
B.Contact the user to confirm if they attempted to sign in at the time of the alerts.
C.Block the suspicious IP address in the Conditional Access policy.
D.Isolate the user's device using Microsoft Defender for Endpoint.
AnswerB

Verifying with the user helps confirm if the activity is legitimate.

Why this answer

Option B is correct because verifying with the user whether they attempted to sign in is the fastest way to confirm if the MFA denials were legitimate. Option A is wrong because changing the password prematurely may lock out the user without confirmation. Option D is wrong because isolating the device may disrupt the user's work.

Option C is wrong because blocking the IP may be premature if the user's IP changes frequently.

1559
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. An incident is triggered: 'Lateral movement detected - pass-the-hash attack.' The incident includes alerts from Microsoft Defender for Identity (MDI) showing anomalous NTLM authentication attempts from a compromised workstation to multiple servers. The compromised workstation is a Windows 10 device. You need to contain the incident. Which of the following actions should you take FIRST?

A.Reset the krbtgt account password twice.
B.Isolate the compromised workstation using Microsoft Defender for Endpoint.
C.Disable NTLM authentication across the domain.
D.Reset passwords on all servers that received anomalous authentication attempts.
AnswerB

Immediately stops the workstation from authenticating to other servers.

Why this answer

Option B is correct: isolating the compromised workstation stops lateral movement. Option D is wrong: resetting passwords on servers does not stop the attack from the workstation. Option C is wrong: disabling NTLM globally may cause disruption.

Option A is wrong: resetting the krbtgt account is for Kerberos, not NTLM.

1560
MCQmedium

An analyst is investigating an incident where a user's mailbox was compromised. The analyst wants to find all mailbox access events (e.g., logins, message access) performed from a specific IP address. Which Advanced Hunting table in Microsoft 365 Defender should be queried?

A.CloudAppEvents
B.EmailEvents
C.EmailAttachmentInfo
D.AADSignInEventsBeta
AnswerA

Correct. This table logs actions in cloud apps including mailbox access events.

Why this answer

The CloudAppEvents table in Microsoft 365 Defender captures audit logs for cloud applications, including Exchange Online mailbox operations such as logins, message access, and folder bindings. This table contains the 'IPAddress' field, allowing the analyst to filter events from a specific IP address. Other tables lack the necessary scope of mailbox access events or the IP address field for this query.

Exam trap

The trap here is that candidates confuse Azure AD sign-in logs (AADSignInEventsBeta) with mailbox access logs, but Azure AD logs only capture authentication events, not the subsequent application-level operations within Exchange Online.

How to eliminate wrong answers

Option B (EmailEvents) is wrong because it tracks email delivery and transport events (e.g., send, receive, spam verdicts), not mailbox access events like logins or message reads. Option C (EmailAttachmentInfo) is wrong because it focuses on attachment metadata (e.g., file name, hash) and does not include user access logs or IP addresses. Option D (AADSignInEventsBeta) is wrong because it records Azure AD authentication events for user sign-ins to cloud apps, but it does not capture granular mailbox-level operations such as message access or folder browsing within Exchange Online.

1561
MCQmedium

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You receive an incident indicating that a user's account was used to sign in from an unusual location (Russia) while the user is in the United States. The sign-in was successful and no MFA challenge was prompted because the user had a valid session. The incident severity is High. You need to respond immediately. What should you do first?

A.Block the IP address in the Conditional Access policy.
B.Revoke the user's session in Microsoft Entra ID.
C.Investigate the sign-in logs to determine if there are other compromised accounts.
D.Reset the user's password.
AnswerB

Revoking sessions immediately logs out the attacker.

Why this answer

Option B is correct because revoking the user's session invalidates the attacker's access immediately. Option C is wrong because investigating logs takes time while the attacker is still active. Option D is wrong because resetting the password does not invalidate the current session.

Option A is wrong because blocking the IP may be too broad and does not stop session hijacking.

1562
MCQmedium

Refer to the exhibit. You run this KQL query in Microsoft Defender for Endpoint advanced hunting as part of an incident investigation. The query returns zero results, but you suspect PowerShell execution with encoded commands occurred. What is the most likely reason for no results?

A.The query uses 'contains' which is case-sensitive
B.The table name is incorrect; it should be 'ProcessEvents'
C.The column 'ProcessCommandLine' should be 'CommandLine'
D.The query only looks at the last hour; the event may have occurred earlier
AnswerD

If the event happened more than an hour ago, it would not appear. Also, data ingestion delay could cause the event not to appear yet.

Why this answer

Option D is correct because the query's time filter is too restrictive: it looks back only one hour (ago(1h)), so an event that occurred earlier would not appear, and very recent data might not yet be ingested. The DeviceProcessEvents table used by the query is the correct table for Defender for Endpoint advanced hunting. Option B is wrong because the table name is correct.

Option C is wrong because the ProcessCommandLine column name is correct. Option A is wrong because the query syntax is valid.

1563
MCQmedium

Refer to the exhibit. You are deploying a Microsoft Sentinel workspace using an ARM template. After deployment, you notice the workspace is in a disabled state for ingesting data. Which parameter is most likely causing this?

A.The location parameter is set to 'eastus' but Sentinel is not available in that region
B.The dailyQuotaInGB parameter sets a daily cap that may have been exceeded
C.The retentionInDays parameter is set to 90, which is less than the default 30 days
D.The workspaceName parameter is set to 'SentinelWorkspace' but the name must be globally unique
AnswerB

The daily cap stops ingestion when reached, causing the workspace to appear disabled for data ingestion.

Why this answer

Option B is correct because the 'dailyQuotaInGB' parameter sets a daily cap on data ingestion. If the cap is reached, ingestion stops until the next day, and the workspace appears to be in a disabled state.

Option D is the workspace name, not an issue. Option A is location, irrelevant. Option C is retention, not ingestion.

1564
MCQmedium

You are a threat hunter using Microsoft Sentinel. You have ingested syslog data from a Palo Alto firewall. You want to create a scheduled query rule that alerts when more than 10 outbound connections to a known bad IP address occur within 5 minutes. Which KQL function should you use to summarize the count?

A.project SourceIp, DestinationIp
B.extend Count = 1
C.summarize count() by SourceIp, DestinationIp
D.join kind=inner (Syslog)
AnswerC

summarize with count() provides the aggregation needed for threshold detection.

Why this answer

Option C is correct because `summarize` aggregates data by specified columns, and `count()` counts rows. Option A is wrong because `project` selects columns and does not aggregate. Option B is wrong because `extend` adds new columns.

Option D is wrong because `join` merges tables.

1565
MCQmedium

An organization ingests its Palo Alto firewall logs into a custom table named 'PaloAlto_CL' in Microsoft Sentinel. A security analyst wants to create a scheduled analytics rule that triggers an incident when a single source IP is involved in more than 100 outbound connections to different destinations in 1 minute. Which KQL query and configuration would trigger the alert correctly?

A.summarize count() by SourceIP, bin(TimeGenerated,1m) and set threshold >100
B.summarize dcount(DestinationIP) by SourceIP, bin(TimeGenerated,1m) and set threshold >100
C.summarize count() by DestinationIP and threshold >100
D.summarize dcount(SourceIP) by DestinationIP, bin(TimeGenerated,1m) and threshold >100
AnswerB

This correctly counts distinct destination IPs per source IP per minute and triggers when that count exceeds 100.

Why this answer

Option B is correct because the requirement is to count distinct destination IPs per source IP per minute, not total connections. Using `dcount(DestinationIP)` with `bin(TimeGenerated,1m)` ensures we count unique destinations, and setting the threshold to >100 triggers when a single source IP connects to more than 100 different destinations in one minute, exactly matching the alert condition.

Exam trap

The trap here is confusing `count()` (total events) with `dcount()` (distinct values), leading candidates to select Option A, which would trigger on repeated connections to the same destination rather than the specified condition of different destinations.

How to eliminate wrong answers

Option A is wrong because `count()` counts all outbound connections, including repeated connections to the same destination, which would overcount and could trigger false positives. Option C is wrong because it groups by DestinationIP only, missing the per-source-IP requirement and the 1-minute time window, and uses a threshold without proper aggregation. Option D is wrong because it uses `dcount(SourceIP)` by DestinationIP, which counts distinct source IPs per destination, the inverse of what is needed, and the threshold >100 would incorrectly trigger on destinations receiving connections from many sources.

1566
MCQeasy

An analyst wants to find all devices that have run a specific process named 'malware.exe' in the last 24 hours using Microsoft 365 Defender Advanced Hunting. Which table should be the primary source for this query?

A.DeviceProcessEvents
B.DeviceEvents
C.DeviceFileEvents
D.DeviceNetworkEvents
AnswerA

DeviceProcessEvents logs process creation events, including the process name. Filtering on FileName == 'malware.exe' will return all executions.

Why this answer

The DeviceProcessEvents table in Microsoft 365 Defender Advanced Hunting is the primary source for querying process creation events, including the execution of a specific process name like 'malware.exe'. This table captures process creation and termination events, making it the correct choice for finding devices that have run a specific process within a given time frame.

Exam trap

The trap here is that candidates may confuse DeviceProcessEvents with DeviceEvents, assuming the latter covers all events, but DeviceEvents is limited to security alerts and audit events, not process creation.

How to eliminate wrong answers

Option B (DeviceEvents) is wrong because it primarily captures system-level events such as security alerts, Windows Defender AV detections, and other audit events, not process creation events. Option C (DeviceFileEvents) is wrong because it tracks file creation, modification, and deletion events, not process execution. Option D (DeviceNetworkEvents) is wrong because it records network connections and related events, not process execution.

1567
MCQhard

Refer to the exhibit. You are analyzing a KQL query used in a custom detection rule in Microsoft Defender XDR. The rule is supposed to detect devices where a parent process launched more than 10 instances of PowerShell or cmd.exe in the last 7 days. However, the query returns no results even though you know such activity exists. What is the most likely reason?

A.The 'extend' line creates a new column that is not used in the subsequent summarize, causing the query to not group by parent process as intended.
B.The 'summarize' operator cannot be used with 'count()' in this context.
C.The 'where' clause filters out all events because the FileName list is incorrect.
D.The 'extend' line uses a column that does not exist in the DeviceProcessEvents schema.
AnswerD

Correct. 'InitiatingProcessParentFileName' is not a valid column; the correct column is 'InitiatingProcessFileName'. This causes the query to fail or return no results.

Why this answer

Option D is correct because the 'extend' line references a column named 'ParentProcessFileName' that does not exist in the DeviceProcessEvents schema. The actual column is 'InitiatingProcessFileName' (or 'ParentProcessName' in some schemas). Since the column doesn't exist, the 'extend' operation fails silently or produces null values, causing the subsequent 'summarize' to group by null and return no results.

Exam trap

The trap here is that candidates assume the column name 'ParentProcessFileName' is correct based on intuition or generic naming conventions, without verifying the actual schema of the DeviceProcessEvents table in Microsoft Defender XDR.

How to eliminate wrong answers

Option A is wrong because the 'extend' line creates a new column that is indeed used in the 'summarize' operator (the 'by' clause references 'ParentProcessFileName'), so the grouping is not broken by an unused column. Option B is wrong because 'summarize' with 'count()' is perfectly valid in KQL and commonly used to count rows per group. Option C is wrong because the 'where' clause filters on 'FileName' with 'has' operators, which is syntactically correct; the issue is not with the filter logic but with a missing column upstream.

1568
MCQmedium

A security analyst is configuring a Microsoft Sentinel playbook to automate the response to phishing incidents. When an incident is created based on a phishing analytics rule, the playbook needs to execute an action in Microsoft 365 Defender, such as blocking the sender email address. Which connector should the analyst add to the playbook to interact with Microsoft 365 Defender?

A.Microsoft 365 Defender connector
B.Microsoft Entra ID connector
C.Azure DevOps connector
D.Teams connector
AnswerA

This connector provides actions to interact with Microsoft 365 Defender, such as blocking email senders or isolating devices.

Why this answer

The Microsoft 365 Defender connector is the correct choice because it provides the necessary actions to interact directly with Microsoft 365 Defender components, such as blocking a sender email address via the Advanced Hunting or action APIs. This connector enables the playbook to trigger remediation actions like email quarantine or sender block within the Microsoft 365 Defender portal, which is essential for automating responses to phishing incidents in Microsoft Sentinel.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender connector with the Microsoft Entra ID connector, assuming identity actions can block email senders, but Entra ID lacks the email security APIs required for such remediation.

How to eliminate wrong answers

Option B is wrong because the Microsoft Entra ID connector is designed for identity and access management actions (e.g., revoking user sessions, disabling accounts), not for email security actions like blocking a sender in Microsoft 365 Defender. Option C is wrong because the Azure DevOps connector is used for managing work items, pipelines, and repositories in Azure DevOps, not for security response actions in Microsoft 365 Defender. Option D is wrong because the Teams connector is used for sending messages or notifications to Microsoft Teams channels, not for executing remediation actions like blocking a sender email address.

1569
Multi-Selectmedium

Which TWO are valid sources of evidence in a Microsoft Sentinel incident? (Choose two.)

Select 2 answers
A.Playbooks
B.Watchlists
C.Alerts
D.Bookmarks
E.Hunting queries
AnswersC, D

Alerts are the primary evidence linked to an incident.

Why this answer

Options C and D are correct. Alerts and bookmarks are evidence items in an incident. Option B is wrong because watchlists are reference data, not evidence.

Option E is wrong because hunting queries are not stored as evidence. Option A is wrong because playbooks are automation, not evidence.

1570
MCQhard

A security analyst is investigating an advanced persistent threat (APT) campaign that involves lateral movement using RDP. The analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a device remotely connects to another device via RDP (process: mstsc.exe) and, within 10 minutes, the remote device executes a suspicious script (e.g., PowerShell.exe with encoded command). Which KQL query pattern in advanced hunting should be used to correlate these events across devices?

A.DeviceProcessEvents | where FileName == 'mstsc.exe' | join DeviceProcessEvents on DeviceName | where (Timestamp2 - Timestamp1) between (0m..10m) and FileName == 'powershell.exe'
B.DeviceProcessEvents | where FileName == 'mstsc.exe' | project SourceDevice = DeviceName, TimeGenerated, RemoteDevice = extract(remote device from command line) | join kind=inner (DeviceProcessEvents | where FileName == 'powershell.exe') on $left.RemoteDevice == $right.DeviceName and $left.TimeGenerated between ($right.TimeGenerated-10m .. $right.TimeGenerated)
C.DeviceProcessEvents | where FileName in~ ('mstsc.exe', 'powershell.exe') and TimeGenerated > ago(1h) | summarize makelist(DeviceName) by bin(TimeGenerated, 10m)
D.DeviceProcessEvents | where FileName == 'mstsc.exe' | extend RemoteDevice = extract(...,1, ProcessCommandLine) | join kind=inner (DeviceProcessEvents | where FileName == 'powershell.exe') on $left.RemoteDevice == $right.DeviceName and $left.TimeGenerated between ($right.TimeGenerated - 10m .. $right.TimeGenerated)
AnswerB

This pattern extracts the remote device from the mstsc command line and joins with PowerShell events on the remote device within a 10-minute window after the RDP connection.

Why this answer

Option B is correct because it uses the `extract()` function to parse the remote device name from the `mstsc.exe` command line (e.g., `mstsc.exe /v:REMOTE_PC`), then performs an inner join with `DeviceProcessEvents` for `powershell.exe` on the condition that the remote device name matches and the `mstsc.exe` timestamp falls within a 10-minute window before the PowerShell execution. This precisely correlates the lateral movement (RDP connection) with the subsequent suspicious script execution on the target device, which is the required detection pattern.

Exam trap

The trap here is that candidates often overlook the need to extract the remote device from the `mstsc.exe` command line and instead join on `DeviceName`, which would incorrectly correlate events on the same device rather than across devices, or they misorder the time window (checking after instead of before).

How to eliminate wrong answers

Option A is wrong because it joins on `DeviceName` instead of extracting the remote device from the command line, so it would only match events on the same device, not across devices; also, `Timestamp2` and `Timestamp1` are not valid fields in `DeviceProcessEvents`. Option C is wrong because it simply groups both process events into 10-minute bins without correlating the RDP connection to a specific remote device, producing a list of devices rather than a cross-device sequence. Option D is wrong because it uses an incomplete `extract()` syntax (missing the capture group index and the regex pattern), and the join condition uses `$left.TimeGenerated between ($right.TimeGenerated - 10m .. $right.TimeGenerated)` which incorrectly checks if the RDP event occurred after the PowerShell event, whereas the correct logic requires the RDP event to occur before the PowerShell event.

1571
MCQmedium

A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect anomalous Microsoft Entra ID sign-ins. The rule runs every 5 minutes and queries the SigninLogs table for sign-ins from IP addresses outside the organization's known country codes. To avoid duplicates, the rule should generate an incident only once for a particular user-IP combination until the combination is not seen for 60 minutes. Which configuration should the analyst use in the analytics rule wizard?

A. Alert details section
B. Query scheduling section
C. Incident settings tab - Grouping configuration
D. Entity mapping section
Answer: C

The grouping configuration allows resetting the grouping window, preventing duplicate incidents for repeated events within that window.

Why this answer

Option C is correct because the Incident settings tab's Grouping configuration allows you to group alerts into a single incident based on specific criteria, such as user-IP combination, and to suppress re-creation of an incident for a defined time window (e.g., 60 minutes) after the last occurrence. This directly addresses the requirement to avoid duplicate incidents for the same user-IP pair until it is not seen for 60 minutes.

Exam trap

The trap here is that candidates often confuse the Query scheduling section's 'Run query every' and 'Lookup data from the last' settings with deduplication, not realizing that those control query frequency and data range, not incident grouping or suppression based on entity combinations.

How to eliminate wrong answers

Option A is wrong because the Alert details section is used to configure the alert's name, description, severity, and tactics, not to control incident grouping or deduplication logic. Option B is wrong because the Query scheduling section defines how often the rule runs and the query lookback period, but it does not provide settings to group alerts or suppress duplicates based on entity combinations. Option D is wrong because the Entity mapping section maps query results to entities (e.g., user, IP) for correlation and investigation, but it does not include any grouping or deduplication configuration.

1572
Multi-Select · hard

Your Microsoft Defender XDR environment has an advanced hunting query that returns devices potentially affected by a known vulnerability. You want to create a custom detection rule that triggers an alert when more than 10 devices are affected. Which THREE steps are required?

Select 3 answers
A. Set the rule frequency and threshold to trigger when the query returns more than 10 results.
B. Configure the rule action to generate an alert in Microsoft Defender XDR.
C. Assign the rule to a severity level.
D. Create a Power Automate flow to send an email when the rule triggers.
E. Save the advanced hunting query as a custom detection rule.
Answers: A, B, E

Thresholds and frequencies are configured in the rule settings.

Why this answer

Options A, B, and E are correct. You need to save the query as a custom detection rule, configure the threshold, and set the action to generate an alert. Option C is not required because the rule runs on a scheduled basis; Option D is for Power Automate flows, which are not necessary.

1573
MCQ · medium

Your security operations center (SOC) uses Microsoft Sentinel with a custom analytics rule that generates an incident when more than 10 failed logons occur within 5 minutes. During a review, you notice that a single user triggered the rule by forgetting their password multiple times. The incident was automatically closed by a playbook. What is the most effective way to reduce false positives for this rule?

A. Increase the threshold to 20 failed logons
B. Create a playbook to automatically close the incident
C. Disable the analytics rule
D. Change the rule to group events by user
Answer: A

A higher threshold reduces noise from password mistakes while still detecting brute-force attacks.

Why this answer

Option A is correct because adjusting the threshold (e.g., to 20 failures) reduces false positives while still capturing brute-force attacks. Option C is wrong because disabling the rule removes detection entirely. Option D is wrong because grouping by user still generates an incident per user.

Option B is wrong because a playbook that closes incidents does not prevent them from being generated in the first place.

1574
MCQ · easy

A security analyst needs to contain a compromised device that is spreading malware in the network. The device is enrolled in Microsoft Intune and managed by Microsoft Defender for Endpoint. What is the fastest way to isolate the device from the network?

A. Disable the device in Microsoft Intune.
B. Use Microsoft Defender for Endpoint to initiate device isolation.
C. Perform a remote wipe of the device from Microsoft Intune.
D. Block the user's account in Microsoft Entra ID.
Answer: B

Device isolation blocks all network traffic except communication with Defender for Endpoint cloud services.

Why this answer

Option B is correct because Defender for Endpoint supports the device isolation response action. Option A is wrong because disabling the device in Intune only prevents new management commands. Option C is wrong because wiping the device is destructive and may not be the fastest option.

Option D is wrong because blocking the user's account does not isolate the device.

1575
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. A security analyst reports that incidents related to ransomware are not being automatically triaged by the SOC automation playbook. You confirm that the playbook is enabled and connected to the analytics rule. What is the most likely cause of the issue?

A. The Microsoft Sentinel workspace is in a different region than Microsoft Defender XDR.
B. The incident is not being created by the analytics rule.
C. The playbook is not associated with the correct analytics rule in the automation rule.
D. The automation rule that triggers the playbook is set to run only when the incident is created by a specific provider (e.g., Microsoft Defender XDR), but the incident is created by Microsoft Sentinel.
Answer: D

If the automation rule filters by provider, it will not trigger for incidents created by other providers.

Why this answer

Option D is correct because the playbook is run by an automation rule that triggers on incident creation, and if the incident is not created by the provider the rule filters on (e.g., Microsoft Defender XDR), the playbook won't fire. Option A is wrong because Sentinel workspaces can be in any region; a region mismatch affects data residency but not playbook triggering. Option C is wrong because playbooks are triggered by automation rules, not by the analytics rule itself.

Option B is wrong because the incident is already created; the issue is the automation rule trigger.
